U.S. Environmental Protection Agency
Office of Inspector General
09-P-0097
February 23, 2009

At a Glance

Catalyst for Improving the Environment

Results of Technical Network Vulnerability Assessment: EPA Headquarters

Why We Did This Review

The Office of Inspector General (OIG) contracted with Williams, Adley & Company, LLP to conduct the annual audit of the U.S. Environmental Protection Agency's (EPA's) compliance with the Federal Information Security Management Act. OIG contractors conducted network vulnerability testing of the Agency's local area network located at EPA's Headquarters in Washington, DC.

Background

The network vulnerability testing was conducted to identify any network risk vulnerabilities and present the results to the appropriate EPA officials to promptly remediate or document planned actions to resolve the vulnerability.

What Williams, Adley & Company, LLP Found

Test results identified 391 Internet Protocol (IP) addresses that contained vulnerabilities and EPA could only identify 118 of the IP addresses. This prevented EPA from taking immediate actions to address the identified vulnerabilities. On September 23, 2008, the OIG issued Report No. 08-P-0273, Management of EPA Headquarters Internet Protocol Addresses Needs Improvement.

Field work disclosed weaknesses in the quality of information EPA uses to track the ownership of IP addresses. Specifically, network administrators were not updating the IP registry database with descriptive information to identify their assigned IP addresses, nor were they adhering to EPA's naming convention policy when describing the equipment or device in the database. Also, there is no evidence that EPA conducted data quality reviews to ensure the IP address database is accurate and complete.

This report summarizes discussions with EPA since the OIG issued report 08-P-0273, and transmits the full contents of the EPA Headquarters network vulnerability test results. This report also forwards several medium-risk vulnerabilities identified at the EPA Region 9 office that require action by Headquarters personnel to remediate. Region 9 officials were unable to resolve these weaknesses because the network assets in question are managed by EPA Headquarters personnel.

What Williams, Adley & Company, LLP Recommends

Williams, Adley & Company, LLP recommends that EPA should:

- Develop and implement procedures to update the IP registry database with information that identifies the owner of the network resource and review the database regularly for accuracy and completeness;
- Take steps to remediate all unresolved security weaknesses at EPA Headquarters and Region 9 and create a Plan of Actions and Milestones; and
- Perform a technical vulnerability assessment test of Headquarters network and managed assets at Region 9.

Due to the sensitive nature of this report's technical findings, the full report is not available to the public.

For further information, contact our Office of Congressional, Public Affairs and Management at (202) 566-2391.